Password Management for the Name Relationship Search Inquiry (NRSI) System
U.S. Securities and Exchange Commission, Office of Inspector General

This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document, contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549, or call (202) 942-4460.

AUDIT MEMORANDUM No.
27
January 29, 2003

To: James McConnell
Kenneth Fogash
From: Walter Stachnik
Re: Password Management for the Name Relationship Search Inquiry (NRSI) System

BACKGROUND

We performed audit work to validate an allegation that Commission staff shared Name Relationship Search Inquiry (NRSI) passwords. NRSI is a cross-referencing application that lets users retrieve filing information held in a number of SEC Automated Information Systems even when names are recorded inconsistently. A user enters a partial or complete name of an individual or company and receives a list of matching records from other SEC systems, such as the Case Action Tracking System (CATS) and the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.

RESPONSIBLE ORGANIZATIONS

The Office of Information Technology (OIT) developed the NRSI system.[1] OIT provides operational support, maintains system hardware components, and performs required software and data maintenance. The OIT Help Desk manages user accounts and controls the granting and revoking of access to the system.

The Office of the Executive Director (OED) owns NRSI. All proposed changes to the system must be reviewed and approved by OED prior to implementation. The Division of Enforcement (ENF) and the Office of Filings and Information Services (OFIS) are the most frequent users of NRSI; however, the system is accessible to and used by nearly every office within the Commission.

Users must complete an Account Request Form (SEC 2555) to obtain access to the NRSI system. The form is completed manually and routed by mail through the user's ADP liaison, the OIT Security Group, the Division of Enforcement, and the NRSI system administrator before access is granted. During our review, we were told that the current manual process for requesting, validating, granting, and revoking user privileges and passwords is inefficient and time consuming.
Program office and OIT personnel believe that the process needs to be streamlined and automated. We were told that if the process were streamlined and automated, more time could be spent auditing password management.

Users are to comply with the password management policies prescribed in SECR 24-2.1, Information Technology Security Program Identification, Authentication, and Passwords, dated April 24, 2001. Although the SECR provides policy for password management and use, the Commission has neither developed nor enforced administrative sanctions for the misuse and mismanagement of passwords.

FINDINGS

We determined that unauthorized users can gain access to the NRSI system and to other Commission systems, such as EDGAR, because of weak password security controls and user noncompliance with established access control and security policies. Specifically, we found that Commission staff within the Divisions of Enforcement and Corporation Finance:

- Shared NRSI passwords; and
- Logged coworkers onto the system, and then gave those unauthorized users access to their personal workstations to perform searches.

In addition, analysis of user accounts for Commission staff assigned to the Division of Enforcement and the Offices of Public Affairs; Investor Education and Assistance; International Affairs; Compliance, Inspections, and Examinations; and Filings and Information Services showed that:

- At least 21 NRSI accounts were active for individuals no longer employed by the SEC;
- NRSI passwords do not expire when inactive for significant periods of time;
- NRSI users are not required to periodically change their passwords; and
- At least 172 NRSI users did not change their default password, as required, after they first accessed the system.

As a result, we gained the varying levels of access to the NRSI and EDGAR systems that had been granted to at least:

- 172 NRSI user accounts; and
- 80 EDGAR user accounts.

We were able to gain
access to the EDGAR system because NRSI users who also had access to the EDGAR system were using the same default password on both systems.

We concluded that improved technical, operational, and managerial processes and procedures are needed to strengthen password management within the Commission. Therefore, we recommend the following management actions.

RECOMMENDATIONS

Recommendation A

The Office of the Executive Director (OED) should issue a memorandum instructing Commission staff to comply with the existing user password policies prescribed in SECR 24-2.1.

In implementing this recommendation, OED should instruct all Commission staff who are currently using default passwords to change them to comply with the SECR. Staff and supervisors should also be reminded that failure to comply with the Commission's password management policies could result in administrative actions, including revocation of system access privileges.

Recommendation B

The Office of Information Technology (OIT) should initiate a mandatory one-time password change, at a minimum, for the 172 NRSI user accounts and 80 EDGAR user accounts included in our review.

Recommendation C

OIT should delete the 21 NRSI user accounts belonging to individuals who are no longer employed by the Commission.

Recommendation D

OIT, in coordination with OED, should streamline and automate the Commission's process for requesting, validating, granting, and revoking user access to Commission Automated Information Systems.

cc: Mark Brickman
Donna Duffrin
George Eckard
Debra Kittredge
Darlene Pryor
Mark Radke
Dana Schlichtmann
Lewis Walker
Thomas McCool

[1] OIT is developing a new version of NRSI (NRSI Version 3.0), which it plans to deploy sometime within the 2nd Quarter of FY 03.
Version 3.0 will contain a different authentication method that will eliminate some, but not all, of the password security vulnerabilities that we identified.
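Four of the account-level findings in this memorandum (accounts still active for departed staff, default passwords never changed after first login, no expiry or forced rotation, and the same default reused on NRSI and EDGAR) are each a mechanical check over an account export joined against an HR roster. The Python script below is an added example of those checks; it is not part of the OIG memorandum and is not OIT's code. The HR roster, the account records, the default password "changeme", the 90-day thresholds, the memo date used as the audit reference date, and the record layout itself (salted PBKDF2 hash, date of last password change, date of last login) are all constructed assumptions, not the real NRSI or EDGAR schema.

```python
"""Account-hygiene checks modelled on the NRSI findings.

Added example; not the OIG's or OIT's code. Everything below is constructed:
the roster, the account records, the default password, the thresholds, and
the record layout (an assumption about how an account store might look,
not the real NRSI or EDGAR schema).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PBKDF2_ROUNDS = 1_000           # kept low so the example runs quickly; use far more in production
DEFAULT_PASSWORD = "changeme"   # constructed issued default, assumed shared by both systems
TODAY = date(2003, 1, 29)       # memo date, used here as the audit reference date


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Account:
    system: str                      # "NRSI" or "EDGAR"
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_changed_at: Optional[date]    # None: never changed since the account was issued
    last_login: Optional[date]       # None: never logged in


def make_account(system, user_id, password, pw_changed_at, last_login) -> Account:
    salt = os.urandom(16)
    return Account(system, user_id, salt, hash_pw(password, salt), pw_changed_at, last_login)


# Constructed HR roster of current staff; anyone absent from it has left the SEC.
ACTIVE_STAFF = {"asmith", "bjones", "cwu"}

# Constructed account export spanning both systems.
ACCOUNTS = [
    make_account("NRSI", "asmith", "Tr0ub4dor&3", date(2002, 12, 1), date(2003, 1, 20)),
    make_account("NRSI", "bjones", DEFAULT_PASSWORD, None, date(2002, 2, 3)),
    make_account("EDGAR", "bjones", DEFAULT_PASSWORD, None, date(2002, 2, 3)),
    make_account("NRSI", "cwu", "correct horse", date(2001, 6, 1), date(2003, 1, 10)),
    make_account("NRSI", "dgone", "left2002!", date(2002, 3, 1), date(2002, 8, 15)),
    make_account("EDGAR", "dgone", DEFAULT_PASSWORD, None, None),
]


def uses_default(acct: Account) -> bool:
    """Re-derive the hash with the record's own salt and compare in constant time."""
    return hmac.compare_digest(acct.pw_hash, hash_pw(DEFAULT_PASSWORD, acct.salt))


def orphaned(accounts, staff):
    """Accounts still active for people who are no longer on the roster."""
    return sorted({(a.system, a.user_id) for a in accounts if a.user_id not in staff})


def default_password(accounts):
    """Users who never replaced the issued default."""
    return sorted((a.system, a.user_id) for a in accounts if uses_default(a))


def stale_password(accounts, today=TODAY, max_age_days=90):
    """Passwords older than the policy age, or never changed: no rotation was enforced."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((a.system, a.user_id) for a in accounts
                  if a.pw_changed_at is None or a.pw_changed_at < cutoff)


def inactive(accounts, today=TODAY, max_idle_days=90):
    """Accounts idle past the threshold that should have expired but did not."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted((a.system, a.user_id) for a in accounts
                  if a.last_login is None or a.last_login < cutoff)


def cross_system_default(accounts):
    """Users on the default in both systems: one guessed password opens NRSI and EDGAR."""
    systems_by_user = {}
    for a in accounts:
        if uses_default(a):
            systems_by_user.setdefault(a.user_id, set()).add(a.system)
    return sorted(u for u, s in systems_by_user.items() if {"NRSI", "EDGAR"} <= s)


if __name__ == "__main__":
    checks = {
        "orphaned": orphaned(ACCOUNTS, ACTIVE_STAFF),
        "default password": default_password(ACCOUNTS),
        "stale password": stale_password(ACCOUNTS),
        "inactive": inactive(ACCOUNTS),
        "default on both systems": cross_system_default(ACCOUNTS),
    }
    for name, hits in checks.items():
        print(f"{name}: {hits}")
```

The default-password check does not compare stored hashes to each other (per-record salts make equal passwords hash differently); it verifies the known default against each record the same way a login would, which is the only check that works once hashes are salted. The cross-system check is the one that corresponds to the EDGAR access described above: a user who is on the default in both stores is reachable in both with a single guess.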